ConnectWise has released a crucial security update for its Professional Services Automation (PSA) platform, addressing two significant vulnerabilities that could allow attackers to weaponize mundane administrative tasks. The flaws, which affect all versions prior to the newly released 2026.1, could expose users to malicious script execution and session hijacking through—of all things—Time Entry notes.
The headline issue in this security fix is CVE-2026-0695, a high-severity vulnerability with a Base Score of 8.7. Identified as a case of “Improper Neutralization of Input During Web Page Generation” (better known as Cross-Site Scripting or XSS), this flaw turns a standard data entry field into a potential launchpad for attacks.
According to the security advisory, the vulnerability stems from a specific condition in “Time Entry note handling”. Without the proper input sanitization provided in the new update, a malicious actor could embed a script into a time entry. When a legitimate user—such as an administrator or finance manager—views that note in either the PSA web client or the PSA Desktop application, the script executes.
This “Stored XSS” vector is particularly dangerous because it waits for the victim to come to it, potentially compromising high-privilege accounts simply by having them review a timesheet.
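To make the "stored" part of the flaw concrete, here is an added Python example that is not ConnectWise code and does not describe how PSA renders notes internally. It builds a timesheet row from constructed sample entries two ways: raw interpolation (the pattern a stored XSS depends on) and with contextual HTML escaping via `html.escape`, then uses Python's own `html.parser` to show which elements a browser-like parser would see in each result. The `notes_with_markup` audit helper is hypothetical and illustrates a defender's check on note text that was entered before a fix was applied.

```python
import html
from html.parser import HTMLParser

# Constructed sample time entries (not data from any real ConnectWise tenant).
# The third note carries a script tag, the shape of content a stored XSS relies on
# being echoed back unescaped when someone reviews the timesheet.
SAMPLE_ENTRIES = [
    {"member": "alice", "hours": 2.0, "note": "Reviewed firewall change request"},
    {"member": "bob", "hours": 1.5, "note": "Ticket 42: 3 < 4, so the check passes"},
    {"member": "mallory", "hours": 0.5, "note": "<script>alert('timesheet')</script>"},
]


def render_row_unsafe(entry):
    """'Before' pattern: raw field values interpolated into the page, so any
    markup stored in the note is rendered and, for a script tag, executed."""
    return (f"<tr><td>{entry['member']}</td><td>{entry['hours']}</td>"
            f"<td>{entry['note']}</td></tr>")


def render_row_safe(entry):
    """Hardened pattern: every user-controlled value is HTML-escaped for the
    element-content context, so the browser shows the text instead of parsing it."""
    cells = (html.escape(str(entry[k]), quote=True) for k in ("member", "hours", "note"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


class _TagCollector(HTMLParser):
    """Collects the element names a browser-like parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Element names found in an HTML fragment; a 'script' entry means active content."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def notes_with_markup(entries):
    """Hypothetical audit helper: members whose stored note would introduce HTML
    elements if rendered raw. A literal '<' in plain prose (bob's note) is not flagged."""
    return [e["member"] for e in entries if tags_in(e["note"])]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["member"], "unsafe:", tags_in(render_row_unsafe(entry)))
        print(entry["member"], "safe:  ", tags_in(render_row_safe(entry)))
    print("notes containing markup:", notes_with_markup(SAMPLE_ENTRIES))
```

The point of escaping at render time rather than filtering at entry time is that the note keeps its exact text (bob's `3 < 4` survives) while mallory's tag reaches the browser as `&lt;script&gt;` and is never parsed as an element; the same rule applies to both the web client and any desktop client that renders the note as HTML.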
Accompanying the XSS flaw is a second vulnerability, CVE-2026-0696, which targets the integrity of user sessions. Rated with a Base Score of 6.5, this issue involves a “Sensitive Cookie Without ‘HttpOnly’ Flag”.
The ‘HttpOnly’ flag is a critical defense mechanism that prevents client-side scripts from accessing cookies. By failing to set this flag, the system left “certain session cookies” vulnerable to access by client-side code. When paired with the XSS flaw mentioned above, this creates a potent attack chain: an attacker could inject a script to steal the now-accessible session cookies, potentially allowing them to hijack a user’s account.
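The following added Python example (not ConnectWise's code; the cookie name `psa_session` and its token are constructed placeholders) shows the weak `Set-Cookie` configuration beside the corrected one and gives a small audit routine a defender can run over a response's headers to confirm the session cookie now carries `HttpOnly`. It also reports `Secure` and `SameSite`, which the advisory does not mention but which belong in the same cookie-configuration review; the parser is a simplified one written for this example, not a full RFC 6265 implementation.

```python
from dataclasses import dataclass, field

# Constructed Set-Cookie headers: the cookie name and token are made up for this
# example and are not ConnectWise PSA's real session cookie.
WEAK_HEADER = "psa_session=EXAMPLE-TOKEN; Path=/"
HARDENED_HEADER = "psa_session=EXAMPLE-TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax"

# Constructed response header list in the (name, value) shape most HTTP clients expose.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", WEAK_HEADER),
    ("Set-Cookie", "theme=dark; Path=/"),
]


@dataclass
class CookieFindings:
    name: str
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Simplified Set-Cookie parser: 'name=value' then ';'-separated attributes.
    Valueless attributes (HttpOnly, Secure) are recorded as True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Report the hardening attributes missing from one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header_value)
    result = CookieFindings(name=name)
    if attrs.get("httponly") is not True:
        result.findings.append("missing HttpOnly: readable by client-side script")
    if attrs.get("secure") is not True:
        result.findings.append("missing Secure: may be sent over plain HTTP")
    if "samesite" not in attrs:
        result.findings.append("missing SameSite: sent on cross-site requests")
    return result


def audit_response(headers):
    """Audit every Set-Cookie header in a list of (name, value) response header pairs."""
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def harden_set_cookie(header_value):
    """Return the header with the missing attributes appended (the corrected configuration)."""
    _, _, attrs = parse_set_cookie(header_value)
    hardened = header_value.rstrip("; ")
    if attrs.get("httponly") is not True:
        hardened += "; HttpOnly"
    if attrs.get("secure") is not True:
        hardened += "; Secure"
    if "samesite" not in attrs:
        hardened += "; SameSite=Lax"
    return hardened


if __name__ == "__main__":
    for result in audit_response(SAMPLE_RESPONSE_HEADERS):
        print(result.name, result.findings or "ok")
    print(harden_set_cookie(WEAK_HEADER))
```

Feeding the audit a real response's `Set-Cookie` headers after upgrading to 2026.1 is a quick way to confirm the session cookie configuration change took effect; any cookie that still lacks `HttpOnly` remains readable by a script that runs in the user's browser, which is exactly the link the XSS flaw above needs to turn into account hijacking.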
ConnectWise has classified the severity of these issues as “Important,” noting that they are “Vulnerabilities that could compromise confidential data or other resources”.
The PSA 2026.1 release explicitly “updates input handling and session cookie configuration to address these issues”.
For administrators, the path to remediation depends on their deployment model:
- Cloud Users: You can breathe easy. ConnectWise has stated that “Cloud instances are automatically being updated to the latest ConnectWise PSA release”.
- On-Premise Users: Immediate action is required. You must “Apply the 2026.1 release patches and ensure all desktop clients are up to date” to close these security gaps.
Security teams using ConnectWise PSA are strongly advised to verify their version number and ensure they have moved past the affected “versions prior to 2026.1”.